HP 3600 v2 Series Configuration Manual page 293

An SA uses the global lifetime settings when no lifetime is configured for it in IPsec policy view. When negotiating an SA, IKE uses the smaller of the local lifetime settings and those proposed by the peer. The time-based and traffic-based limits are compared independently, and the SA is renegotiated as soon as either one is reached.

You cannot change the creation mode of an IPsec policy directly. To create an IPsec policy in another creation mode, delete the current one and then configure a new IPsec policy.
To directly configure an IPsec policy that uses IKE:

Step 1. Enter system view.
    Command: system-view
    Remark: N/A

Step 2. Create an IPsec policy that uses IKE and enter its view.
    Command: ipsec policy policy-name seq-number isakmp
    Remark: By default, no IPsec policy exists.

Step 3. Configure an IPsec connection name.
    Command: connection-name name
    Remark: Optional. By default, no IPsec connection name is configured.

Step 4. Assign an ACL to the IPsec policy.
    Command: security acl acl-number
    Remark: By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL. If you specify multiple ACLs for an IPsec policy, only the last specified ACL takes effect.

Step 5. Assign IPsec proposals to the IPsec policy.
    Command: proposal proposal-name&<1-6>
    Remark: By default, an IPsec policy references no IPsec proposal.

Step 6. Specify an IKE peer for the IPsec policy.
    Command: ike-peer peer-name
    Remark: An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.

Step 7. Enable and configure the perfect forward secrecy (PFS) feature for the IPsec policy.
    Command: pfs dh-group14
    Remark: Optional. By default, the PFS feature is not used for negotiation. For more information about PFS, see the chapter "IKE configuration."

Step 8. Set the SA lifetime.
    Command: sa duration { time-based seconds | traffic-based kilobytes }
    Remark: Optional. By default, the global SA lifetime is used.

Step 9. Enable the IPsec policy.
    Command: policy enable
    Remark: Optional. Enabled by default.

Step 10. Return to system view.
    Command: quit
    Remark: N/A

Step 11. Set the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remark: Optional. 3600 seconds for the time-based SA lifetime by default. 1843200 kilobytes for the traffic-based SA lifetime by default.

With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec transform sets. During negotiation, IKE searches for a fully matched IPsec transform set at the two ends of
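The following annotated CLI transcript walks through steps 1 to 11 above on one device. It is an added example, not taken from the manual, and it assumes that ACL 3000, IPsec proposal tran1 and IKE peer peer1 have already been created (as described in the ACL and IKE chapters); the device name Switch, the policy name map1, the sequence number 10 and the connection name hq-to-branch are made-up values. Lines beginning with # are annotations, not commands.

```text
<Switch> system-view
# Step 2: create entry 10 of policy map1 in IKE (isakmp) mode. The creation
# mode is fixed once chosen; to use another mode, delete the entry and
# recreate it.
[Switch] ipsec policy map1 10 isakmp
# Step 3 (optional): a connection name for display and log output.
[Switch-ipsec-policy-isakmp-map1-10] connection-name hq-to-branch
# Step 4: one ACL selects the traffic to protect. Issuing "security acl"
# a second time replaces this ACL rather than adding to it.
[Switch-ipsec-policy-isakmp-map1-10] security acl 3000
# Step 5: up to six proposals (transform sets); IKE looks for one that
# fully matches the peer's.
[Switch-ipsec-policy-isakmp-map1-10] proposal tran1
# Step 6: peer1 must not also be referenced by an IPsec profile.
[Switch-ipsec-policy-isakmp-map1-10] ike-peer peer1
# Step 7 (optional): PFS with DH group 14, so that IPsec SA keys are not
# derived solely from the IKE SA keying material.
[Switch-ipsec-policy-isakmp-map1-10] pfs dh-group14
# Step 8 (optional): lifetimes for this entry only, overriding the global
# values. Time and traffic limits are set separately and act independently;
# IKE takes the smaller of each local value and the peer's proposal.
[Switch-ipsec-policy-isakmp-map1-10] sa duration time-based 1800
[Switch-ipsec-policy-isakmp-map1-10] sa duration traffic-based 1000000
# Step 9: enabled by default, shown for completeness.
[Switch-ipsec-policy-isakmp-map1-10] policy enable
# Step 10: back to system view.
[Switch-ipsec-policy-isakmp-map1-10] quit
# Step 11 (optional): the global lifetimes used by any entry without its own
# "sa duration" settings, set here to the manual's defaults.
[Switch] ipsec sa global-duration time-based 3600
[Switch] ipsec sa global-duration traffic-based 1843200
```

In this example, entry 10 of map1 will propose 1800 seconds and 1000000 kilobytes, while any other entry of the policy that omits sa duration will fall back to the global 3600 seconds and 1843200 kilobytes. Applying the policy to an interface and verifying it with the display commands are covered elsewhere in this chapter and are not shown here.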